The information has been provided by CORE Security Technologies Advisories.
The original article can be found at: http://www.coresecurity.com/?action=item&id=2103
* MPlayer version 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC)
* Xine-lib version 1.1.10
* MPlayer SVN HEAD after r25917
* MPlayer version 1.0rc2 + security patches
A fix for this problem was committed to SVN on the MPlayer project . Users of affected MPlayer versions should download a patch  for MPlayer 1.0rc2 or update to the latest version if they are using SVN.
The vulnerability was found in the following code, used to parse FLAC comments inside MPlayer:
206 case FLAC_VORBIS_COMMENT:
208 /* For a description of the format please have a look at */
209 /* http://www.xiph.org/vorbis/doc/v-comment.html */
211 uint32_t length, comment_list_len;
212 (1) char comments[blk_len];
213 uint8_t *ptr = comments;
214 char *comment;
215 int cn;
216 char c;
218 if (stream_read (s, comments, blk_len) == blk_len)
220 (2) length = AV_RL32(ptr);
221 ptr += 4 + length;
223 comment_list_len = AV_RL32(ptr);
224 ptr += 4;
226 cn = 0;
227 for (; cn < comment_list_len; cn++)
229 length = AV_RL32(ptr);
230 ptr += 4;
232 comment = ptr;
233 (3) c = comment[length];
234 comment[length] = 0; ...
We can see in (2) that the length variable is being loaded from a position on the file stream, and then used without any validation to index the comment buffer, that was allocated from the stack in (1). This causes a stack corruption, and possibly allows code execution (e.g. modifying the value of the length variable, that is also on the stack).
Example Attack Scenario:
1) The user receives an email with an attachment called e.g. goodmusic.flac.
2) The user opens the file with MPlayer or another vulnerable software.
3) This causes a stack corruption and malicious code execution on the user computer.
* 2007-12-18: Core Security Technologies notifies the MPlayer team of the vulnerability (no reply received).
* 2008-01-04: A new notification of the vulnerability was sent to the MPlayer team (no reply received).
* 2008-01-18: A new notification of the vulnerability was sent to the MPlayer team.
* 2008-01-18: The MPlayer team asked Core Security Technologies for technical description of the vulnerability.
* 2008-01-22: Technical details was sent to MPlayer team by Core Security Technologies.
* 2008-01-28: MPlayer notified Core Security Technologies that a fix had been produced.
* 2008-02-04: CORE-2007-1218 advisory was published.